Advanced-Threat-Analytics.psm1
#region ----CMDLETS---- <# .Synopsis Set-ATACenterURL is for setting the the URL to be used for the rest of the cmdlets. .DESCRIPTION By default, this module uses localhost as the URL. This can be overwritten with Set-ATACenterURL. It is recommended to run this cmdlet in your profile to prevent having to set it for each new session. .EXAMPLE Set-ATACenterURL -URL atacenter.contoso.com The above cmdlet sets $ATACenter as a global variable in the current session. This variable is used for other cmdlets in this module. #> function Set-ATACenterURL { [CmdletBinding()] Param ( # ATA Center URL. Located in ATA Center Configuration. (Example: atacenter.mydomain.com) [Parameter(Mandatory = $true)] [ValidatePattern('[a-z0-9].[a-z0-9].[a-z0-9]')] [string]$URL ) $Global:ATACenter = "$URL" } <# .Synopsis Resolve-ATASelfSignedCert is used if you are having issues with this module and know you are using a self signed certificate for your ATA Center. .DESCRIPTION Credit to railroadmanuk for most of this code. https://virtualbrakeman.wordpress.com/2016/03/20/powershell-could-not-create-ssltls-secure-channel/ .EXAMPLE Resolve-ATASelfSignedCert The above cmdlet attempts to remediate the SSL error received from using a self-signed certificate. #> function Resolve-ATASelfSignedCert { try { Add-Type -TypeDefinition @" using System.Net; using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy { public bool CheckValidationResult( ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) { return true; } } "@ } catch { Write-Error $_ } [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy } <# .Synopsis Get-ATASuspiciousActivity is used to retrieve suspicious activities triggered in ATA. .DESCRIPTION Running just Get-ATASuspiciousActivity will return a full listing of all SA's. You may also pass in a unique SA ID to fetch information around a single SA. The 'Profile' switch may be used to get more information around the context of the attack. .EXAMPLE Get-ATASuspiciousActivity WindowsEventId : 2007 ExclusionUniqueEntityId : computer 10.1.2.7 SourceComputerId : computer 10.1.2.7 DestinationComputerIds : {ff336d33-81f4-458c-b70b-33f0070ffb20} RelatedUniqueEntityIds : {computer 10.1.2.7, ff336d33-81f4-458c-b70b-33f0070ffb20} IsAdditionalDataAvailable : False SystemCreationTime : 2017-04-17T23:16:49.6943463Z SystemUpdateTime : 2017-05-18T16:22:08.9346648Z ReasonKey : DnsReconnaissanceSuspiciousActivityReason EvidenceKeys : {} HasDetails : True RelatedActivityCount : 1 SourceIpAddresses : {10.1.2.7} Id : 58f54ce12aaea50ff89b38a7 StartTime : 2017-04-17T23:16:33.4600665Z EndTime : 2017-04-17T23:16:33.4600665Z Severity : Medium Status : Open StatusUpdateTime : 2017-05-18T16:22:08.9346648Z TitleKey : DnsReconnaissanceSuspiciousActivityTitle DescriptionFormatKey : DnsReconnaissanceSuspiciousActivityDescription DescriptionDetailFormatKeys : {} Type : DnsReconnaissanceSuspiciousActivity The above command retrieves a listing of all Suspicious Activities. .EXAMPLE Get-ATASuspiciousActivity -Id 58f54ce12aaea50ff89b38a7 -Details Query : contoso.com RecordType : Axfr ResponseCode : ConnectionRefused AttemptCount : 1 DestinationComputerIds : {ff336d33-81f4-458c-b70b-33f0070ffb20} StartTime : 2017-04-17T23:16:33.4600665Z EndTime : 2017-04-17T23:16:33.4600665Z The above example retrieves the details around a specified suspicious activity. .EXAMPLE Get-ATASuspiciousActivity -Id 58f54ce12aaea50ff89b38a7 -Export C:\Temp The above example downloads the Excel file for the specified suspicious activity to the C:\Temp folder. #> function Get-ATASuspiciousActivity { [CmdletBinding()] Param ( # Unique Id of Suspicious Activity. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Fetch')] [ValidatePattern('^[a-f0-9]{24}$')] [string]$Id, # Retrieves more details for the suspicious activity, such as time, query, attempts, result, response, etc. [Parameter(Mandatory = $false, ParameterSetName = 'Fetch')] [switch]$Details, # Downloads the suspicious activity Excel export to the specified folder path. Example: 'C:\temp' [Parameter(Mandatory = $false, ParameterSetName = 'Fetch')] [string]$Export ) begin { if ($Details -and $Excel) {Write-Error "You may not select both 'Excel' and 'Details' switch parameters."} } Process { if ($PSCmdlet.ParameterSetName -eq 'Fetch' -and !$Details -and !$Export) { $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities/$id" -Method Get -UseDefaultCredentials $result } if ($PSCmdlet.ParameterSetName -eq 'Fetch' -and $Details) { $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities/$id/details" -Method Get -UseDefaultCredentials $result.DetailsRecords } if ($Details -and !$Id) { Write-Error "You must specify a suspicious activity ID when using the 'details' switch." } if ($PSCmdlet.ParameterSetName -eq 'Fetch' -and $Export) { try { $ExcelFilePath = $Export + "/SA_$Id" + '.xlsx' $ExcelLocale = 'excel?localeId=en-us' $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities/$Id/$ExcelLocale" -OutFile $ExcelFilePath -Method Get -UseDefaultCredentials $result } catch { $_ } } if ($PSCmdlet.ParameterSetName -ne 'Fetch') { $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities" -Method Get -UseDefaultCredentials $result } } end { } } <# .Synopsis Set-ATASuspiciousActivity is used to update the status of a suspcious activity. .DESCRIPTION This cmdlet requires a suspicious activity ID and a status. Available status types are Open, Closed, and Suppressed. .EXAMPLE Set-ATASuspiciousActivity -Id 58f54ce12aaea50ff89b38a7 -Status Closed; Get-ATASuspiciousActivity | select Id, Status | ft Id Status -- ------ 58f54ce12aaea50ff89b38a7 Closed The above command sets the specified Suspicious Activity to a Closed state, then displays the current status for the SA. #> function Set-ATASuspiciousActivity { [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')] Param ( # Unique Id of the Suspicious Activity [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Fetch')] [ValidatePattern('^[a-f0-9]{24}$')] [string]$Id, # The specified status to update the Suspicious Activity. (Open, Closed, Suppressed) [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Fetch')] [ValidateSet('Open', 'Closed', 'CloseAndExclude', 'Suppressed', 'Delete', 'DeleteSameType')] [string]$Status, # Suppress 'Confirm' dialogue [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $false)] [switch]$Force ) Process { if ($PSCmdlet.ParameterSetName -eq 'Fetch' -and $Status -ne 'Delete' -and $Status -ne 'DeleteSameType') { if ($Force -or $PSCmdlet.ShouldProcess($Id, "Changing status to $Status")) { $body = @{} if ($Status) {$body += @{Status = $Status} } if ($Status -eq 'Closed') {$body += @{ShouldExclude = $false} } if ($Status -eq 'CloseAndExclude') {$body += @{ShouldExclude = $true} } $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities/$id" -Method Post -Body $body -UseDefaultCredentials } } if ($PSCmdlet.ParameterSetName -eq 'Fetch' -and $Status -eq 'Delete') { if ($Force -or $PSCmdlet.ShouldProcess($Id, "Changing status to $Status")) { $ShouldDelete = '?shouldDeleteSameType=false' $body = @{} $body += @{shouldDeleteSametype = $false} $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities/$id$ShouldDelete" -Method Delete -UseDefaultCredentials } } if ($PSCmdlet.ParameterSetName -eq 'Fetch' -and $Status -eq 'DeleteSameType' -and $PSCmdlet.ShouldProcess($Id, "Changing status to $Status")) { if ($Force -or $PSCmdlet.ShouldProcess($Id, "Changing status to $Status")) { $ShouldDelete = '?shouldDeleteSameType=true' $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/suspiciousActivities/$id$ShouldDelete" -Method Delete -UseDefaultCredentials } } } end { $result } } #region Get-ATAStatus <# .Synopsis Get-ATAStatus retrieves status information for ATA. .DESCRIPTION This cmdlet displays a wide range of information around your current ATA Center components, such as the Center, Gateways, and License. .EXAMPLE Get-ATAStatus -Center | Select -ExpandProperty Configuration AbnormalBehaviorDetectorConfiguration : @{BuildModelsConfiguration=; CreateSuspiciousActivitiesConfiguration=; MinActiveAccountCount=50; SuspiciousActivityCreationDataMaxCount=1000; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} AbnormalKerberosDetectorConfiguration : @{ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[]; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} AbnormalSensitiveGroupMembershipChangeDetectorConfiguration : @{LearningPeriod=70.00:00:00; ExcludedSourceAccountIds=System.Object[]; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} AbnormalSmbDetectorConfiguration : @{OperationRetentionPeriod=00:03:00; RemoveOldOperationsConfiguration=; ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[]; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} AbnormalVpnDetectorConfiguration : @{ProfileCommonGeolocationsAndCarriesAsyncConfiguration=; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} AccountEnumerationDetectorConfiguration : @{ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[]; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} ActivityProcessorConfiguration : @{ActivityBlockConfiguration=; ActivityPostponeBlockConfiguration=; PostponedActivityBlockConfiguration=} ActivitySimulatorConfiguration : @{DatabaseServerEndpoint=; DelayInterval=00:00:15; SimulationState=Disabled} AppDomainManagerConfiguration : @{GcCollectConfiguration=; UpdateExceptionStatisticsConfiguration=} BruteForceDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} CenterTelemetryManagerConfiguration : @{IsEnabled=True; ServiceUrl=https://dc.applicationinsights.microsoft.com/v2/track; ClientInstrumentationKey=fd3f5bd1-3d71-44a3-9209-d94633544903; ClientBufferMaxSize=450; ClientSendInterval=00:10:00; UnsentTelemetrySampleInterval=01:00:00; UnsentTelemetryRetentionPeriod=7.00:00:00; SendSystemTelemetryConfiguration=; SendPerformanceCounterTelemetryConfiguration=; SendAlertTelemetryConfiguration=; SendExceptionStatisticsTelemetryConfiguration=; SendUnsentTelemetriesConfiguration=; UnsentTelemetryBatchSize=20} CenterWebApplicationConfiguration : @{ServiceListeningIpEndpoint=; CommunicationCookieExpiration=00:20:00} CenterWebClientConfiguration : @{RetryDelay=00:00:01; ServiceEndpoints=System.Object[]; ServiceCertificateThumbprints=System.Object[]} ComputerPreauthenticationFailedDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} ConfigurationManagerConfiguration : @{UpdateConfigurationConfiguration=} DatabaseConfiguration : @{ServerEndpoint=; ClientConnectTimeout=00:00:30; ClientServerSelectionTimeout=00:00:30; ConnectionPoolMaxSize=100; WaitQueueSize=1000; ActivityBlockConfiguration=; BackupSystemProfileMaxCount=10; CappedActivityCollectionHighActivityMaxCount=50000000; CappedActivityCollectionLowActivityMaxCount=1000000; CappedActivityCollectionUpdateCurrentCollectionActivityCountConfiguration=; DataDriveFreeSpaceCriticalPercentage=0.05; DataDriveFreeSpaceCriticalSize=50 GB; DataDriveFreeSpaceLowPercentage=0.2; DataDriveFreeSpaceLowSize=200 GB; WorkingSetPercentage=0.25; LogFileMaxSize=50 MB; LogFileMaxCount=10; BackupSystemProfileConfiguration=; DeleteOldCappedCollectionsConfiguration=; MonitorDatabaseConfiguration=} DetectionConfiguration : @{AlertConfiguration=; NotificationVerbosity=Low} DirectoryServicesReplicationDetectorConfiguration : @{OperationRetentionPeriod=00:03:00; RemoveOldOperationsConfiguration=; ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[]; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} DnsReconnaissanceDetectorConfiguration : @{ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[]; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} EncryptedTimestampEncryptionDowngradeDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} EntityProfilerConfiguration : @{UpdateDetectionProfileConfiguration=; UpdateDirectoryServicesTrafficSystemProfileConfiguration=; EventActivityBlockConfiguration=; NetworkActivityBlockConfiguration=} EntityReceiverConfiguration : @{ActivitiesDroppingEnabled=False; EntityBatchBlockConfiguration=; EntityBatchBlockSizeAccumulationQueueConfiguration=; GatewayInactivityTimeout=00:15:00} EnumerateSessionsDetectorConfiguration : @{OperationRetentionPeriod=00:03:00; RemoveOldOperationsConfiguration=; ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[]; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} ExternalIpAddressResolverConfiguration : @{CacheConfiguration=; FailedResolutionsAccumulationQueueConfiguration=} ForgedPacDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} GoldenTicketDetectorConfiguration : @{KerberosTicketLifetime=10:00:00; ExcludedSourceAccountIds=System.Object[]; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} HoneytokenActivityDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} HttpClientConfiguration : @{BufferMaxSize=128 MB; Timeout=00:10:00} IntelligenceProxyConfiguration : @{ConnectionLimit=50; WebClientConfiguration=} LdapBruteForceDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} LdapCleartextPasswordDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} LoadSimulatorRecorderConfiguration : @{IsEnabled=False; UniqueEntityBatchBlockConfiguration=; EntityBatchBlockConfiguration=; FileSegmentSize=5 MB} LocalizerConfiguration : @{LocaleId=en-us} MailClientConfiguration : @{IsEnabled=False; From=; ServerEndpoint=; ServerSslEnabled=False; ServerSslAcceptAnyServerCertificate=False; AuthenticationEnabled=False; AuthenticationAccountName=; AuthenticationAccountPasswordEncrypted=} MassiveObjectDeletionDetectorConfiguration : @{DetectMassiveObjectDeletionConfiguration=; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} MemoryStreamPoolConfiguration : @{BlockSize=128 KB; LargeBlockMultipleSize=1 MB; BufferMaxSize=128 MB} MonitoringClientConfiguration : @{AlertConfiguration=; MonitoringAlertTypeNameToIsEnabledMapping=; RenotificationInterval=7.00:00:00} MonitoringEngineConfiguration : @{CenterNotReceivingTrafficTimeout=01:00:00; GatewayInactivityTimeout=00:05:00; GatewayStartFailureTimeout=00:30:00; MonitoringAlertExpiration=30.00:00:00; DeleteOldMonitoringAlertsConfiguration=; MonitoringCycleConfiguration=} NetworkActivityProcessorConfiguration : @{ParentKerberosResponseTicketHashKeyToParentKerberosDataMappingConfiguration=; SaveParentKerberosBloomFiltersConfiguration=} NotificationEngineConfiguration : @{NotificationCycleConfiguration=} PassTheHashDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} PassTheTicketDetectorConfiguration : @{HandleInvisibleSuspiciousActivitiesConfiguration=; ValidateInvisibleSuspiciousActivitiesTimeout=02:00:00; ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[]; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} RemoteExecutionDetectorConfiguration : @{OperationRetentionPeriod=00:03:00; RemoveOldOperationsConfiguration=; ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[]; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} ReporterConfiguration : @{ReportTypeToConfigurationMapping=; SendPeriodicReportsConfiguration=} RetrieveDataProtectionBackupKeyDetectorConfiguration : @{OperationRetentionPeriod=00:03:00; RemoveOldOperationsConfiguration=; ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[]; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} SamrReconnaissanceDetectorConfiguration : @{HandleInvisibleSuspiciousActivitiesConfiguration=; OperationRetentionPeriod=00:03:00; RemoveOldOperationsConfiguration=; ExcludedSourceComputerIds=System.Object[]; ExcludedSubnets=System.Object[]; BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} SecretManagerConfiguration : @{CertificateThumbprint=217562C96ECAF3A574303629848640F556A253FB} ServiceSystemProfileConfiguration : @{Id=58f53fded8c26706b8ebb122} SoftwareUpdaterConfiguration : @{IsEnabled=True; IsGatewayAutomaticSoftwareUpdateEnabled=True; IsLightweightGatewayAutomaticRestartEnabled=False; MicrosoftUpdateCategoryId=6ac905a5-286b-43eb-97e2-e23b3848c87d; CheckSoftwareUpdatesConfiguration=} SourceAccountSupportedEncryptionTypesEncryptionDowngradeDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} SourceComputerSupportedEncryptionTypesEncryptionDowngradeDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} SyncManagerConfiguration : @{UpdateClientsConfiguration=} SyslogClientConfiguration : @{IsEnabled=False; ServerEndpoint=; ServerTransport=Udp; ServerTransportTimeout=00:00:10; Serializer=Rfc5424} TgtEncryptionDowngradeDetectorConfiguration : @{BlockConfiguration=; IsEnabled=True; UpsertProfileConfiguration=} UniqueEntityCacheConfiguration : @{CacheConfiguration=} UniqueEntityProcessorConfiguration : @{HoneytokenAccountIds=System.Object[]; UniqueEntityBlockParallelismDegree=100; UpdateSecurityPrincipalsSensitivityConfiguration=; GetHighFunctionalityDomainControlerIdsConfiguration=; GetHoneytokenAccountIdsConfiguration=} UniqueEntityProfileCacheConfiguration : @{CacheConfiguration=; UniqueEntityProfileBlockConfiguration=; StoreUniqueEntityProfilesConfiguration=} UserAccountClusterDetectorConfiguration : @{ClusterUserAccountsConfiguration=} WindowsEventLogClientConfiguration : @{IsEnabled=True} The above command retrieves the current configuration for the ATA Center. .EXAMPLE Get-ATAStatus -Gateway | Select ServiceStatus, Status, Version, NetBiosName | fl ServiceStatus : Stopped Status : StartFailure Version : 1.8.6229.4854 NetbiosName : 2012R2-DC1 The above example retrieves a list of information for all gateways and displays the ServiceStatus, Status, Version, and NetBiosName of the server. #> function Get-ATAStatus { [CmdletBinding()] Param ( # Retrieves ATA Center status information. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Center')] [switch]$Center, # Retrieves ATA Gateway status information. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Gateway')] [switch]$Gateway, # Retrieves information around the current ATA License. [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'License')] [switch]$License ) Process { if ($Center) {$foo = "center"} if ($Gateway) {$foo = "gateways"} if ($License) {$foo = "license"} $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/systemProfiles/$foo" -Method Get -UseDefaultCredentials } end { $result } } <# .Synopsis Get-ATAMonitoringAlert retrieves all health alerts in ATA. .DESCRIPTION This cmdlet is used to retrieve a list of all health alerts in ATA. Filtering of these alerts can be done post-query. .EXAMPLE Get-ATAMonitoringAlert -Status Open | select Id, TitleKey, Severity, Status, StartTime Id : 59046d2bb5487a052cd5381e TitleKey : GatewayDirectoryServicesClientAccountPasswordExpiryMonitoringAlertTitleNearExpiry Severity : Medium Status : Open StartTime : 2017-04-29T10:38:35.9741496Z Id : 5911f086b5487a052c205f69 TitleKey : GatewayStartFailureMonitoringAlertTitle Severity : Medium Status : Open StartTime : 2017-05-09T16:38:30.5274492Z The above example retrieves a list of Open monitoring alerts and displays the Id, TitleKey, Severity, Status, and StartTime for the alerts. #> function Get-ATAMonitoringAlert { [CmdletBinding()] Param ( # Status to update the monitoring alert. (Open, Closed, Suppressed) [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Fetch')] [ValidateSet('Open', 'Closed', 'Suppressed')] [string]$Status ) Process { $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/monitoringAlerts" -Method Get -UseDefaultCredentials } end { if ($Status) { $result | Where-Object {$_.status -eq $Status} } if (!$Status) { $result } } } <# .Synopsis Set-ATAMonitoringAlert is used to update the status for an alert. .DESCRIPTION Updates a Monitoring Alert's status. .EXAMPLE Set-ATAMonitoringAlert -id 5911f086b5487a052c205f69 -Status Closed The above example sets a specific Monitoring Alert to Closed .EXAMPLE Get-ATAMonitoringAlert -Status Open | Set-ATAMonitoringAlert -Status Closed} The above example gets all Open Monitoring Alerts and sets them as Closed. #> function Set-ATAMonitoringAlert { [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')] Param ( # Unique Id of the Monitoring Alert [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Fetch')] [ValidatePattern('^[a-f0-9]{24}$')] [string]$Id, # Status to update the monitoring alert. (Open, Closed, Suppressed) [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Fetch')] [ValidateSet('Open', 'Closed', 'Suppressed')] [string]$Status, # Suppress 'Confirm' dialogue [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $false)] [switch]$Force ) Process { if ($PSCmdlet.ParameterSetName -eq 'Fetch') { if ($Force -or $PSCmdlet.ShouldProcess($Id, "Changing status to $Status")) { $body = @{} if ($Status) {$body += @{Status = $Status} } $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/monitoringAlerts/$id" -Method Post -Body $body -UseDefaultCredentials } } } end { $result } } <# .Synopsis Get-ATAUniqueEntity is used to retrieve information around unique entities in ATA. .DESCRIPTION This cmdlet retrieves detialed information around users and computers. The 'Profile' flag can be used to see more detailed information built by ATA. .EXAMPLE Get-ATAUniqueEntity -Id ff336d33-81f4-458c-b70b-33f0070ffb20 DnsName : 2012R2-DC1.contoso.com DomainController : @{IsGlobalCatalog=True; IsPrimary=True; IsReadOnly=False} IpAddress : IsDomainController : True IsServer : True OperatingSystemDisplayName : Windows Server 2012 R2 Datacenter, 6.3 (9600) SystemDisplayName : 2012R2-DC1 BadPasswordTime : ConstrainedDelegationSpns : {} ExpiryTime : IsDisabled : False IsExpired : False IsHoneytoken : False IsLocked : False IsPasswordExpired : False IsPasswordFarExpiry : False IsPasswordNeverExpires : False IsPasswordNotRequired : False IsSmartcardRequired : False PasswordExpiryTime : PasswordUpdateTime : 2017-04-17T17:59:57.0826645Z Spns : {Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/2012R2-DC1.contoso.com, ldap/2012R2-DC1.contoso.com/ForestDnsZones.contoso.com, ldap/2012R2-DC1.contoso.com/DomainDnsZones.contoso.com, TERMSRV/2012R2-DC1...} UpnName : Description : IsSensitive : True SamName : 2012R2-DC1$ DomainId : 7c915dca-0591-4abe-84c6-2522466bed4d CanonicalName : contoso.com/Domain Controllers/2012R2-DC1 CreationTime : 2017-04-17T17:59:40Z DistinguishedName : CN=2012R2-DC1,OU=Domain Controllers,DC=contoso,DC=com IsDeleted : False IsNew : False Sid : S-1-5-21-3599243929-1086515894-1402892407-1001 SystemSubDisplayName : Id : ff336d33-81f4-458c-b70b-33f0070ffb20 IsPartial : False Type : Computer The above example retrieves information about the specified unique entity. .EXAMPLE Get-ATAUniqueEntity -Id ff336d33-81f4-458c-b70b-33f0070ffb20 -ParentGroupId | foreach {Get-ATAUniqueEntity -Id $_} GroupType : {Global, Security} SystemDisplayName : Domain Controllers SystemSubDisplayName : All domain controllers in the domain Description : All domain controllers in the domain IsSensitive : True SamName : Domain Controllers DomainId : 7c915dca-0591-4abe-84c6-2522466bed4d CanonicalName : contoso.com/Users/Domain Controllers CreationTime : 2017-04-17T17:59:41Z DistinguishedName : CN=Domain Controllers,CN=Users,DC=contoso,DC=com IsDeleted : False IsNew : False Sid : S-1-5-21-3599243929-1086515894-1402892407-516 Id : 9c7c6002-d192-48e8-99c2-1205cbd5f2c9 IsPartial : False Type : Group The above example extracts the parentgroupid from the unique entity and passes it back into Get-ATAUniqueEntity to see the group's information. .EXAMPLE Get-ATASuspiciousActivity | select SourceComputerId | Get-ATAUniqueEntity The above example pipes the SourceComputerId property directly into Get-ATAUniqueEntity to retrieve the entity information for the source computer. #> function Get-ATAUniqueEntity { [CmdletBinding()] Param ( # Unique Id of Unique Entity [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Fetch')] [Alias('SourceComputerId', 'ExclusionUniqueEntityId')] [string]$Id, # Retrieves the profile for the unique entity. [Parameter(Mandatory = $false, ParameterSetName = 'Fetch')] [switch]$Profile, # Retrieves the parent group Id for the unique entity. [Parameter(Mandatory = $false, ParameterSetName = 'Fetch')] [switch]$ParentGroupId ) begin { if ($Profile -and $ParentGroupId) { Write-Error "You may not set both Profile and ParentGroupId."} } Process { if ($Id -and !$Profile -and !$ParentGroupId) { $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/uniqueEntities/$Id" -Method Get -UseDefaultCredentials $result } if ($Id -and $Profile) { $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/uniqueEntities/$Id/profile" -Method Get -UseDefaultCredentials $result } if ($Id -and $ParentGroupId) { $result = Invoke-RestMethod -Uri "https://$ATACenter/api/management/uniqueEntities/$Id/parentGroupIds" -Method Get -UseDefaultCredentials $result } if (!$Id -and $Profile) { Write-Error "You must specify a unique entity ID when using the 'Profile' switch." } } end { } } #endregion # Export only the functions using PowerShell standard verb-noun naming. # Be sure to list each exported functions in the FunctionsToExport field of the module manifest file. # This improves performance of command discovery in PowerShell. Export-ModuleMember -Function *-ATA* |